GIF Attack on Facebook Messenger Earned Hacker $10,000

A white hat hacker earned $10,000 from Facebook last year for finding a Messenger vulnerability that apparently could have been exploited to randomly obtain other users’ images.

In February 2018, Dzmitry Lukyanenka, a researcher who specializes in the security of Android applications, decided to check how Facebook Messenger for Android handled corrupt GIF files.

Inspired by one of the vulnerabilities discovered back in 2016 in the popular image processing suite ImageMagick, Lukyanenka generated some GIF files to see how they were processed.

He found a way to get the application to crash, but Facebook did not pay a bounty for this DoS flaw. However, the researcher noticed that a test GIF file that he had uploaded to Messenger, which should not have contained an actual image, was displayed as what he described as a “weird image” when the application was opened in a web browser on a laptop.

He played around with the size of the GIF and it got displayed similar to the picture on the screen of old TVs when there was no signal. After several tests, his GIF displayed a distorted version of an actual image.

That was when he realized that he was actually getting data from an image previously uploaded by a different user, which he described as a “random memory exposure” issue.

While Lukyanenka did not prove that the vulnerability could have been reliably exploited to obtain sensitive data, Facebook appears to have determined that it was a serious security hole and decided to award him a $10,000 bounty. The social media giant released a fix less than two weeks after being informed of the bug in late February 2018.

Users have speculated on Reddit on the cause of the vulnerability, and some admitted that it could have had serious security implications.

“He recovered most of somebody else's imagine. Imagine this was a picture of your children that you were sending privately to family or something. It's a pretty serious vulnerability, even if it can only be used to extract recently uploaded images,” one Reddit user noted.

Lukyanenka has published a blog post detailing his findings, along with a video showing the exploit in action.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.